Access Control List
Overview
Access control lists are the data structure used to administer resource-based authorization. The subscription topic permissions endpoints are used to post, update, and delete access control list objects, and thereby grant or revoke access permissions for users, devices, applications, and organizations.
Access Control Lists
An access control list has the following form:
{
  "id": "ID_OF_RESOURCE_TO_AUTH",
  "accesscontrolitems": {
    "sub:dev:DEVICE_ID": "PERMISSION",
    "sub:user:USER_ID": "PERMISSION",
    "sub:app:APPLICATION_ID": "PERMISSION",
    "org:ORG_ID": "PERMISSION"
  }
}
Permissions
In the case of the Subscription service, ID_OF_RESOURCE_TO_AUTH is the subscription topic id. The remaining ID fields in the example are the principal ids assigned by the identity management system. PERMISSION is one of the following:
- owner: Currently given to the topic’s subscriber
- admin: Currently given to the creator of the topic, if the creator is not the subscriber
- readwrite: Can update the topic object
- readonly: Can only read the topic object
Principals
A principal is denoted by PRINCIPAL_TYPE:PRINCIPAL_ID. Principal type is one of the following:
- sub:user: Principal is a user
- sub:dev: Principal is a device
- sub:app: Principal is an application
- org: Principal is an organization
- group:ORGID: Principal is a group in the organization denoted by ORGID
When a new subscription topic object is registered, a new access control list is automatically created with the topic subscriber assigned owner permission and the requestor, if different from the subscriber, assigned admin permission.
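The following is an added example, not code from the Subscription service itself. It builds the ACL described above for a newly registered topic, validates principal keys against the principal types listed on this page, and resolves the permission a principal holds directly, through its organization, or through a group. Two assumptions are labelled in the code: a group principal key is taken to have the form group:ORGID:GROUP_ID, and the four permissions are ranked readonly < readwrite < admin < owner, since the page lists them without defining an ordering.

```python
import re

# Assumption: the page lists four permissions but defines no ordering between
# them; this ranking is used only to decide "at least readwrite" below.
PERMISSION_RANK = {"readonly": 0, "readwrite": 1, "admin": 2, "owner": 3}

# Principal key forms from the page: sub:user:ID, sub:dev:ID, sub:app:ID,
# org:ID. Assumption: a group key is group:ORGID:GROUP_ID.
PRINCIPAL_KEY = re.compile(
    r"^(sub:user|sub:dev|sub:app|org|group:[A-Za-z0-9_-]+):([A-Za-z0-9_-]+)$"
)


def validate_acl(acl):
    """Reject ACL objects with malformed principal keys or unknown permissions."""
    if not isinstance(acl.get("id"), str) or not acl["id"]:
        raise ValueError("ACL id must be a non-empty string")
    items = acl.get("accesscontrolitems")
    if not isinstance(items, dict):
        raise ValueError("accesscontrolitems must be an object")
    for key, perm in items.items():
        if not PRINCIPAL_KEY.match(key):
            raise ValueError(f"malformed principal key: {key!r}")
        if perm not in PERMISSION_RANK:
            raise ValueError(f"unknown permission {perm!r} for {key!r}")
    return acl


def create_acl(topic_id, subscriber, requestor):
    """ACL for a newly registered topic: subscriber becomes owner and the
    requestor, if different from the subscriber, becomes admin."""
    items = {subscriber: "owner"}
    if requestor != subscriber:
        items[requestor] = "admin"
    return validate_acl({"id": topic_id, "accesscontrolitems": items})


def effective_permission(acl, principal, org=None, groups=()):
    """Highest permission granted directly, via the principal's organization,
    or via any of its groups; None means no entry matches (deny)."""
    items = validate_acl(acl)["accesscontrolitems"]
    candidates = [principal]
    if org:
        candidates.append(f"org:{org}")
        candidates.extend(f"group:{org}:{g}" for g in groups)
    granted = [items[k] for k in candidates if k in items]
    return max(granted, key=PERMISSION_RANK.__getitem__) if granted else None


def can_update(acl, principal, org=None, groups=()):
    """Updating the topic object requires readwrite (or higher, by assumption)."""
    perm = effective_permission(acl, principal, org, groups)
    return perm is not None and PERMISSION_RANK[perm] >= PERMISSION_RANK["readwrite"]
```

Sample principals such as sub:user:alice and org acme in the usage are constructed for illustration.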